Subject: wuarchive ftpd Trojan
To: None <>
From: Michael Graff <>
List: current-users
Date: 04/06/1994 16:28:37
Just so you folk using wuarchive's super ftpd know about this...

------- Forwarded Message

Subject: Re: wuarchive ftpd Trojan
In-Reply-To: <2nutuq$>
Organization: Iowa State University, Ames, Iowa (USA)

In article <2nutuq$> you write:
}Well, it has finally happened again. A major program has been trojaned.
}CERT advisory as always lacks any concrete information about it
}other than to say, you need to get the newest version.
}It might be more useful to say what the trojan was, or how
}it was implemented, because how do I know some intruder stick
}his trojan into the newest version of wu-ftp and sendmail as well?
}I'd like to point out that 8lgm (Karl Strickland and Neil Woods)
}were contributors to the fact that CERT released this advisory.
}From Wed Apr  6 13:37:03 1994
}From: CERT Advisory <>
}Date: Wed, 6 Apr 94 12:51:16 EDT
}Subject: CERT Advisory - wuarchive ftpd Trojan Horse
}Organization: Computer Emergency Response Team : 412-268-7090
}CA-94:07                         CERT Advisory
}                                 April 6, 1994
}                          wuarchive ftpd Trojan Horse
}The CERT Coordination Center has received confirmation that some copies
}of the source code for the wuarchive FTP daemon (ftpd) were modified by 
}an intruder, and contain a Trojan horse.
}We strongly recommend that any site running the wuarchive ftpd take steps 
}to immediately install version 2.3, or disable their FTP daemon.
}I.   Description
}     Some copies of the source code for versions 2.2 and 2.1f of the 
}     wuarchive ftpd were modified by an intruder, and contain a Trojan
}     horse.  If your FTP daemon was compiled from the intruder-modified 
}     source code, you are vulnerable.
}     It is possible that previous versions of the source code for the server 
}     were modified in a similar manner.
}     If you are running the wuarchive ftpd, but not providing anonymous FTP 
}     access, you are still vulnerable to this Trojan horse.
}II.  Impact
}     An intruder can gain root access on a host running an FTP daemon 
}     that contains this Trojan horse.
}III. Solution
}     We strongly recommend that any site running the wuarchive ftpd (version 
}     2.2 or earlier) take steps to immediately install version 2.3. 
}     If you cannot install the new version in a timely manner, you should 
}     disable FTP service.  It is not sufficient to disable anonymous FTP.  
}     You must disable the FTP daemon. 
}     Sites can obtain version 2.3 via anonymous FTP from, in the 
}     "/networking/ftp/wuarchive-ftpd" directory.  We recommend that you turn
}     off your FTP server until you have installed the new version.  
}     Be certain to verify the checksum information to confirm that you have
}     retrieved a valid copy.
}                        BSD        SVR4         
}     File               Checksum   Checksum    MD5 Digital Signature
}     -----------------  --------   ---------   --------------------------------
}     wu-ftpd-2.3.tar.Z  24416 181  30488 361   e58adc5ce0b6eae34f3f2389e9dc9197
}The CERT Coordination Center wishes to thank Bryan O'Connor and Chris Myers 
}of Washington University in St. Louis for their invaluable assistance in 
}resolving this problem.  CERT also gratefully acknowledges the help of
}Neil Woods and Karl Strickland.
}If you believe that your system has been compromised, contact the CERT
}Coordination Center or your representative in the Forum of Incident
}Response and Security Teams (FIRST).
}If you wish to send sensitive incident or vulnerability information to 
}CERT via electronic mail, CERT strongly advises that the e-mail be encrypted.
}CERT can support a shared DES key, PGP (public key available via
}anonymous FTP on, or PEM (contact CERT for details).
}Internet E-mail:
}Telephone: 412-268-7090 (24-hour hotline)
}           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
}           and are on call for emergencies during other hours.
}CERT Coordination Center
}Software Engineering Institute
}Carnegie Mellon University
}Pittsburgh, PA 15213-3890
}Past advisories, information about FIRST representatives, and other
}information related to computer security are available via anonymous
}FTP from
}Christopher William Klaus  Email:  Author:Inet Sec. Scanner
}2209 Summit Place Drive,Dunwoody, GA 30350-2430. (404)998-5871.

------- End of Forwarded Message
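
The checksum verification the advisory asks for, as an added example (not part of the original message or of CERT's advisory): it computes the BSD and SVR4 `sum` values and the MD5 digest of a downloaded file and compares them with the three values in the advisory's table. The function names and the command-line usage are assumptions of this example.

```python
import hashlib
import sys

# Values copied from the CA-94:07 table for wu-ftpd-2.3.tar.Z.
PUBLISHED = {
    "bsd": (24416, 181),     # BSD `sum`: checksum, 1024-byte blocks
    "svr4": (30488, 361),    # SVR4 `sum`: checksum, 512-byte blocks
    "md5": "e58adc5ce0b6eae34f3f2389e9dc9197",
}

def bsd_sum(data: bytes):
    """BSD `sum`: 16-bit rotate-right-and-add checksum, size in 1 KB blocks."""
    c = 0
    for b in data:
        c = (c >> 1) | ((c & 1) << 15)   # rotate right by one bit
        c = (c + b) & 0xFFFF
    return c, -(-len(data) // 1024)      # ceiling division

def svr4_sum(data: bytes):
    """System V `sum`: byte sum folded to 16 bits, size in 512-byte blocks."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16), -(-len(data) // 512)

def digests(data: bytes):
    """All three values the advisory publishes, computed over `data`."""
    return {
        "bsd": bsd_sum(data),
        "svr4": svr4_sum(data),
        "md5": hashlib.md5(data).hexdigest(),
    }

def verify(data: bytes, published=PUBLISHED):
    """Return the names of the checks that do not match (empty list: all match)."""
    got = digests(data)
    return [name for name, want in published.items() if got[name] != want]

if __name__ == "__main__":
    # Usage (assumed): python verify_wuftpd.py wu-ftpd-2.3.tar.Z
    with open(sys.argv[1], "rb") as f:
        failed = verify(f.read())
    if failed:
        print("MISMATCH:", ", ".join(failed), "- do not build from this copy")
        sys.exit(1)
    print("all three published values match")
```

All three values must match before the source is unpacked or compiled; a copy that matches only the 16-bit `sum` values but not the MD5 digest is rejected.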